package com.hxz.lesson03;

import com.hxz.lesson02.utils.JdbcUtils;

import java.sql.*;

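/**
 * Demonstrates that a {@link PreparedStatement} with bound parameters is not
 * vulnerable to the classic {@code ' or '1=1} login bypass: the payload passed
 * from {@link #main} is bound as a plain string value, so the query only
 * matches a user whose NAME column literally equals that string.
 *
 * <p>Connections are obtained from and released through the project's
 * {@code JdbcUtils} helper (defined outside this file).
 */
public class SQLzhuru {
    public static void main(String[] args) {
        // Normal login attempt:
        //login("lisi","123456");
        // Injection attempt: with string-built SQL this would turn the WHERE
        // clause into a tautology; with bound parameters it is just a username.
        login("'' or '1=1","123456");
    }

    /**
     * Looks up rows in {@code users} matching the given credentials and prints
     * the matching user names to stdout.
     *
     * <p>The password column is deliberately not echoed: it is a secret even in
     * a demo, and printing it to stdout is the kind of leak a reviewer flags.
     *
     * @param username candidate user name, bound as the first parameter
     * @param password candidate password, bound as the second parameter
     */
    public static void login(String username, String password) {
        Connection conn = null;
        PreparedStatement st = null;
        ResultSet rs = null;

        try {
            conn = JdbcUtils.getConnection(); // obtain the database connection

            // The "?" placeholders are the whole point of this demo: the SQL text
            // is fixed at prepare time, and setString() binds the arguments as
            // values, so quotes or keywords inside them never reach the parser
            // as SQL syntax.
            String sql = "SELECT * FROM users WHERE NAME=? and PASSWORD=?";
            st = conn.prepareStatement(sql); // statement object for this query
            st.setString(1, username);
            st.setString(2, password);

            rs = st.executeQuery();
            int matches = 0;
            while (rs.next()) {
                matches++;
                System.out.println("NAME=" + rs.getObject("NAME"));
                System.out.println("=======================");
            }
            // Zero rows for the payload in main() is the expected, safe result.
            System.out.println("matching rows: " + matches);
        } catch (SQLException e) {
            // Demo code: no logging framework is available, so the stack trace
            // goes to stderr. Note the message may contain SQL fragments but
            // never the bound password value.
            e.printStackTrace();
        } finally {
            // JdbcUtils.release is assumed to null-check each argument; verify
            // against its definition before relying on that here.
            JdbcUtils.release(conn, st, rs);
        }
    }
}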
